DETAILED ACTION

1. Claims 1, 2, 4-10, 12-19, 21, 22, 28-35, 40-42 and 45-52. Claims 3, 11, 20, 23-27,
36-39 and 43-44 are cancelled.

Response to Arguments 

2. Applicant's arguments filed August 3, 2006 have been fully considered but they 
are not persuasive. 

With regard to Applicant's argument that Shostack does not disclose and would 
not have suggested that the application determine, at the local server, an anomaly at the 
client locations based on at least the possible security problems at the client locations,
Examiner respectfully disagrees. Shostack discloses a Network Security Detector (NSD)
that contains many different applications at the local server (4:17-22). This NSD at the
local server determines various anomalies based on its monitoring of the network which 
includes the client locations (6:37-7:35). In particular application 44 monitors the 
network (7:5-10), in addition, the NSD can also perform a comprehensive security 
assessment of the entire network assessing operating systems of various computers and 
monitors the network for security vulnerabilities and provides a report of all security 
breaches which would constitute an anomaly at the client location determined at the NSD 
which resides at the local server (7:20-30). 

3. Claim 40 rejected under 35 U.S.C. 102(e) as being anticipated by Lyle, U.S. 
Patent No. 6,886,102.

Claim Rejections - 35 USC § 103

The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior Office action. 

4. Claims 1-2, 6-8, 9-10, 14-22, 28-34 and 41, 45, 46, 48 rejected under 35 
U.S.C. 103(a) as being unpatentable over Shostack et al. (Shostack), U.S. Patent No. 
6,298,445 in view of Lyle, U.S. Patent No. 6,886,102 and further in view of Shipley, U.S. 
Patent No. 6,119,236. 
As per claim 1:

Shostack discloses a method comprising: 

detecting possible security problems at client locations (6:43-46, wherein an 
intrusion is a possible security problem); 

transmitting notice of the possible security problems across a network in real time 
to a home location remotely located from the locations (6:53-57, wherein sending an 
alarm functions as transmitting notice of the possible security problem and the system 
administrator resides at a home location which is the local server); 

determining at the home location an anomaly based on at least the possible 
security problems (7:15-16, wherein the security vulnerabilities function as anomalies 
and the local server is the home location); and 

transmitting notice of the anomaly in real time to the client locations (7:57-63; 
9:10-21, wherein the software enhancement being sent is the notice of the security 
vulnerability, which functions as the anomaly). 

Shostack fails to teach transmitting notice of the anomaly to the client location at 
which the possible security problem is detected. However, Lyle discloses a method 
wherein an event, which consists of an actual or suspected attack, is determined based on
information gleaned from an internal source called a sniffer (6:52-7:18). Lyle also
discloses a method wherein the responsive action, such as a message is sent to the device
with the actual or suspected attack (8:21-59).

Shostack and Lyle fail to teach updating, in real time, firewalls protecting the 
client locations to account for the anomaly. However, Shipley discloses a method 
wherein a firewall is dynamically programmed, in real time, to allow for the firewall to 
change its response to various security breaches that occur (7:58-8:41). 

As per claim 9, this is a computer readable medium version of the claimed 
method discussed above in claim 1 wherein all claimed limitations have also been 
addressed and/or cited as set forth above. 

As per claim 2: 

Shostack further discloses a method further comprising transmitting notice of the
anomaly in real time to other client locations that may communicate with the home 
location over the network (6:58-59, wherein information about the network status 
includes anomalies found). 

As per claim 10, this is a computer readable medium version of the claimed 
method discussed above in claim 2 wherein all claimed limitations have also been 
addressed and/or cited as set forth above. 

As per claim 6: 

Shostack further discloses a method in which the anomaly includes unauthorized 
access to the network (4:64-67; 5:1, wherein this is an example of a security vulnerability 
(4:47-48) and the security vulnerabilities function as anomalies).

As per claim 14, this is a computer readable medium version of the claimed
method discussed above in claim 6 wherein all claimed limitations have also been 
addressed and/or cited as set forth above. 

As per claim 7: 

Shostack further discloses a method in which the anomaly includes unauthorized 
access of a resource accessible through the network (5:1-4, wherein the program library is 
a network resource). 

As per claim 15, this is a computer readable medium version of the claimed 
method discussed above in claim 7 wherein all claimed limitations have also been 
addressed and/or cited as set forth above. 

As per claim 8: 

Shostack further discloses a method in which the anomaly includes unauthorized 
use of resources available through the network (6:10-13, wherein seeing the disk is using 
a network resource). 

As per claim 16, this is a computer readable medium version of the claimed 
method discussed above in claim 8 wherein all claimed limitations have also been 
addressed and/or cited as set forth above. 

As per claims 17 and 40:

Shostack discloses a method comprising: 

At a home location in a network, receiving from at least two remote clients 
indications of possible security problems at the clients (6:66-67; 7:1, the first application
is used to transmit notice of possible security problems and the second application 
functions to receive information from the first application.);

determining in real time at the home location an existence of an anomaly based on
at least the indications of the possible security problems (7:20-27, wherein the security 
vulnerabilities function as anomalies). 

Sending in real time, from a home location to a remote clients, information for 
updating security software to protect the remote clients to account for the anomaly 
(abstract, 2:31-3:37). 

Shostack fails to teach receiving indications of possible security problems from at 
least two remote clients. However, Lyle discloses a method wherein messages of 
possible anomalies come from a sniffer, which can scan one or more clients on the
network, and a message from another domain that may contain anomalies (6:52-7:65). 

Shostack and Lyle fail to teach the updates being applied to a firewall. However, 
Shipley discloses dynamically programming firewalls in real time to account for an 
anomaly (7:58-8:41). 

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle with the invention 
of Shipley because each uses firewalls in their own inventions individually (Lyle, 6:37- 
51; Shostack, 4:13-21) and utilizing Shipley's real time dynamic programming of the 
firewalls would allow the firewalls to better protect their respective networks since it 
would constantly be modified to account for the newest threats (Shipley, 2:56-65). 

As per claim 18: 

Shostack further discloses a method further comprising transmitting notice of the
existence of the anomaly in real time from the home location to the remote client 
locations (7:57-63, wherein the software enhancement being sent is the notice of the
security vulnerability, which functions as the anomaly).

As per claim 19:

Shostack further discloses a method further comprising transmitting notice of the
existence of the anomaly in real time from the home location to other remote client
locations that may communicate with the home location over the network (6:58-59, 
wherein information about the network status includes anomalies found). 

As per claim 21: 

Shostack further discloses a method of claim further comprising transmitting 
information from the home location to the remote client locations to help the remote
client location identify possible security problems (13:7-9, wherein the database updates 
to the security vulnerabilities helps to identify possible security problems). 

As per claim 22: 

Shostack further discloses a method further comprising determining the existence 
of the anomaly based on at least information regarding previous anomalies (9:56-63, 
wherein the database contains a log of all of the previous security vulnerabilities which 
function as anomalies). 

As per claim 29: 

Lyle further discloses an apparatus in which the first mechanism also determines 
the anomaly based on at least information regarding previously determined anomalies 
(7:66-8:11). 

As per claim 30: 

Shostack discloses a system comprising:

a server (9:10);

for each of the client terminals, 

a first client mechanism accessible by the client terminal to detect a possible 
security problem at the client terminal (6:43-46, wherein an intrusion is a possible 
security problem), 

a second client mechanism accessible by the client terminal to transmit notice of 
the possible security problem across a network in real time to a server remotely located 
from the client terminal (6:53-57, wherein sending an alarm functions as transmitting 
notice of the possible security problem), and 

a third client mechanism accessible by the client terminal to receive updates from 
the server in real time regarding security problems that the first client mechanism may 
use in detecting possible security problems (7:57-63; 9:10-21, wherein the client receives 
the software enhancement updates which function as updates from the server about
security problems); 

a first server mechanism accessible by the server to determine an anomaly based 
on at least information from a client regarding a possible security problem (7:15-16,
wherein the security vulnerabilities function as anomalies and the local server is the home 
location); and 

a second server mechanism accessible by the server to transmit notice of the 
anomaly in real time over the network to the client terminals (7:57-63; 9:10-21, wherein 
the software enhancement being sent is the notice of the security vulnerability, which 
functions as the anomaly).

Shostack fails to teach receiving indications of possible security problems from at
least two remote clients. However, Lyle discloses a method wherein messages of
possible anomalies come from a sniffer, which can scan one or more clients on the
network, and a message from another domain that may contain anomalies (6:52-7:65). 
Lyle also discloses a method wherein the responsive action, such as a message is sent to 
the device with the actual or suspected attack (8:21-59). 

Shostack and Lyle fail to teach the updates being applied to a firewall. However, 
Shipley discloses dynamically programming firewalls in real time to account for an 
anomaly (7:58-8:41). 

As per claim 28 this is an apparatus version of the claimed system discussed 
above in claim 30 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 32: 

Shostack further discloses a system in which the first server mechanism is also
configured to determine the anomaly based on at least information regarding previously
determined anomalies (9:56-63, wherein the database contains a log of all of the previous
security vulnerabilities which function as anomalies).

As per claim 33: 

Shostack further discloses a system in which the second server mechanism is also
configured to transmit notice of the anomaly in real time to other client locations that 
may communicate with the server over the network (6:58-59, wherein information about 
the network status includes anomalies found). 

Application/Control Number: 10/010,743
Art Unit: 2132

As per claim 34:

Shostack further discloses a system further comprising a firewall located between 
the client terminals and the server and configured to act as an intermediary for 
information flowing between the client terminals and the server (4:19-24, since the server 
is remotely connected to the network 20 (9:13-14; fig 2, item 20), the placement of the 
firewall makes it an intermediary between the external server and the client, therefore, the 
firewall's functionality as a filter shows that information flows between the server and
client). 

As per claim 41: 

Shostack discloses a method comprising: 

detecting a possible security problem at a client location (6:43-46, wherein an 
intrusion is a possible security problem); 

transmitting notice of the possible security problem across a network in real time 
to a home location remotely located from the location (6:53-57, wherein sending an alarm 
functions as transmitting notice of the possible security problem and the system 
administrator resides at a home location which is the local server); 

transmitting notice of the anomaly in real time to the client location (7:57-63; 
9:10-21, wherein the software enhancement being sent is the notice of the security 
vulnerability, which functions as the anomaly). 

Shostack fails to teach determining at the home location an anomaly based on the 
possible security problem. However, Lyle discloses searching for a particular file type 
associated with a known intrusion technique (10:44-59). 

Shostack and Lyle fail to teach determining an anomaly by searching for 
particular information in the anomaly. However, Shipley discloses a method wherein the 
type of information being searched for includes commands restricted to one type of user
followed by commands restricted to another type of user all coming from the same sender 
address (6:4-30). 

As per claims 45 and 48: 

Shipley further discloses a method further comprising storing and performing 
complex analysis of anomaly trends by using a complexity theory mechanism (5:58-6:3).

As per claim 46:

Lyle further discloses a method wherein a wide view mechanism such as an 
analysis framework module, collects and maintains information regarding events reported 
to the server (7:50-65) which includes a statistics mechanism to compute and store 
records of events (8:12-20).

As per claims 47 and 49: 

Lyle further discloses a method further comprising a statistics mechanism to 
compute and store records of anomalies (8:12-39).

As per claims 50 and 51:

Shipley further discloses a method further comprising updating, in real time, a 
firewall protecting the client location to account for the anomaly (7:58-8:41). 

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle because in order to 
make a system less vulnerable to attack as stated in Shostack (2:18-28), not only do 
vulnerabilities updates need to be disseminated, but tracking the hacker who breached the 
security is also essential in the security of a system against intrusions in order to ensure
that the same person cannot do so again.

It would have been obvious to one of ordinary skill in the art at the time of
applicant's invention to combine the inventions of Shostack and Lyle with the invention 
of Shipley because each uses firewalls in their own inventions individually (Lyle, 6:37- 
51; Shostack, 4:13-21) and utilizing Shipley's real time dynamic programming of the 
firewalls would allow the firewalls to better protect their respective networks since it 
would constantly be modified to account for the newest threats (Shipley, 2:56-65).

5. Claims 4, 12 and 31 rejected under 35 U.S.C. 103(a) as being unpatentable over
Shostack (U.S. 6,298,445) in view of Lyle (U.S. 6,886,102) in view of Shipley (U.S.
6,119,236) as applied to claims 1, 9, 23, 26 and 30 above and further in view of Baker,
U.S. Patent No. 6,775,657.

As per claim 4: 

Shostack, Lyle and Shipley fail to teach a method further comprising inspecting a 
packet that arrives at the client location to detect the possible security problem. 
However, Baker discloses a method wherein a network based intrusion detection system 
analyzes network packet data to make security decisions (1:41-42; 46-53). It would have
been obvious to one of ordinary skill in the art at the time of applicant's invention to 
analyze a packet that arrives at the client in order to make security decisions because this 
would make the intrusion detection system scale well for network protection since it is 
the amount of traffic that determines performance, therefore it would also be easier to 
control and improve performance of the network as a whole (1:53-60).

As per claim 12, this is a computer readable medium version of the claimed 
method discussed above in claim 4 wherein all claimed limitations have also been 
addressed and/or cited as set forth above.

As per claim 31:

Shostack, Lyle and Shipley fail to teach a system in which the first mechanism is 
also configured to monitor packets that arrive at the client terminal for the possible 
security problem. However, Baker discloses a method wherein a network based intrusion 
detection system analyzes network packet data to make security decisions (1:41-42; 46-53).

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to analyze a packet that arrives at the client in order to make 
security decisions because this would make the intrusion detection system scale well for 
network protection since it is the amount of traffic that determines performance, therefore 
it would also be easier to control and improve performance of the network as a whole 
(1:53-60). 

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle because in order to 
make a system less vulnerable to attack as stated in Shostack (2:18-28), not only do 
vulnerabilities updates need to be disseminated, but tracking the hacker who breached the 
security is also essential in the security of a system against intrusions in order to ensure
that the same person cannot do so again. 

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle with the invention 
of Shipley because each uses firewalls in their own inventions individually (Lyle, 6:37- 
51; Shostack, 4:13-21) and utilizing Shipley's real time dynamic programming of the 
firewalls would allow the firewalls to better protect their respective networks since it
would constantly be modified to account for the newest threats (Shipley, 2:56-65).

6. Claims 5, 13 and 35 rejected under 35 U.S.C. 103(a) as being unpatentable over
Shostack (U.S. 6,298,445) in view of Lyle (U.S. 6,886,102) as applied to claims 1, 9 and
30 above and further in view of Bowman-Amuah, U.S. Patent No. 6,697,824.

As per claim 5:

Shostack and Lyle fail to teach a method in which the network includes a virtual 
private network. However, Bowman-Amuah discloses a method wherein a network is
protected from unauthorized access through the encryption services provided by Virtual
Private Networking (75:64-65, fig 36). It would have been obvious to one of ordinary 
skill in the art at the time of applicant's invention to include a virtual private network 
with the network because of the added security benefits a VPN affords a system against 
unauthorized users. 

As per claim 13, this is a computer readable medium version of the claimed 
method discussed above in claim 5 wherein all claimed limitations have also been 
addressed and/or cited as set forth above.

As per claim 35: 

Shostack and Lyle fail to teach a system in which at least one of the firewalls 
includes a corporate server. However, Bowman-Amuah discloses a method wherein a
corporate firewall includes a corporate server at a corporate headquarters (75:65-66; 
76:19-23). It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to include a corporate server with the firewall because if the 
intrusion detection system were to be used in a business setting the firewalls would
provide increased access control for the internal network (76:21-23).

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle because in order to 
make a system less vulnerable to attack as stated in Shostack (2:18-28), not only do 
vulnerabilities updates need to be disseminated, but tracking the hacker who breached the 
security is also essential in the security of a system against intrusions in order to ensure
that the same person cannot do so again. 

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle with the invention 
of Shipley because each uses firewalls in their own inventions individually (Lyle, 6:37- 
51; Shostack, 4:13-21) and utilizing Shipley's real time dynamic programming of the 
firewalls would allow the firewalls to better protect their respective networks since it 
would constantly be modified to account for the newest threats (Shipley, 2:56-65).

7. Claims 42 and 52 rejected under 35 U.S.C. 103(a) as being unpatentable over
Shostack (U.S. 6,298,445) in view of Lyle (U.S. 6,886,102) and further in view of
Moran, U.S. Patent No. 6,826,697. 

As per claim 42: 

Shostack discloses a method comprising: 

detecting a possible security problem at a client location (6:43-46, wherein an 
intrusion is a possible security problem); 

transmitting notice of the possible security problem across a network in real time 
to a home location remotely located from the location (6:53-57, wherein sending an alarm 
functions as transmitting notice of the possible security problem and the system
administrator resides at a home location which is the local server); 

transmitting notice of the anomaly in real time to the client location (7:57-63; 
9:10-21, wherein the software enhancement being sent is the notice of the security 
vulnerability, which functions as the anomaly). 

Shostack fails to teach determining at the home location an anomaly by at least 
comparing the possible security problem with information previously logged at the home 
location, including searching for an unexpected login. However, Lyle discloses a method 
wherein the event, which consists of an attack, is compared to other events that have 
occurred (7:50-8:11). 

Shostack and Lyle fail to teach a method in which determining the anomaly 
comprises searching for an unexpected login. However, Moran discloses a method 
wherein failed login attempts are logged (19:41-20:18). A failed login attempt is an 
unexpected login since it is not a correct login. The login is not expecting for the login 
information to be wrong, therefore a failed login qualifies as an unexpected login by an 
unexpected user. 

It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to combine the inventions of Shostack and Lyle with Moran 
because in order to make a system less vulnerable to attack as stated in Shostack (2:18- 
28), the ability to detect further types of attacks such as forward and backward time steps 
in a log file or an overflow buffer attack as stated in Moran (4:1-37) would increase the 
security against attacks as a whole.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of 
time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the 
advisory action. In no event, however, will the statutory period for reply expire later than 
SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Kristin D. Sandoval whose telephone number is 571-272- 
7958. The examiner can normally be reached on Monday - Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business
Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Examiner

Art Unit 2132

GILBERTO BARRON
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100



